PE 2025.4.0
Released June 2025
For important information about upgrading to 2025, see Upgrading Puppet Enterprise.
If you're on the LTS stream (2023.8), you'll find release notes and other information for that series in the 2023.8 documentation.
Customers on 2021.7.z, which is EOL, are encouraged to upgrade to 2023.8.z.
To access End-of-Life (EOL) dates and maintenance information, see PE End-of-Life (EOL).
Features
Launch of Puppet Enterprise’s AI-powered Infra Assistant
The Puppet Enterprise Infra Assistant introduces an AI-powered natural language interface for exploring infrastructure data. It enables authenticated users to ask free-form questions about their environment and receive contextual and accurate responses based on data from the Puppet Enterprise APIs. The Infra Assistant is part of the PE console and it is designed to be used by technical and non-technical users.
For more information on the Infra Assistant, see Enabling the Infra Assistant.
Advanced Patching: PE console support for dynamically updating patch groups
This feature supports rules-based membership, where nodes are dynamically included in patch groups according to fact matching.
- Users can create patch groups with dynamic rules
- Users can inspect the rules applied to patch groups on the patch group details
Advanced Patching API: New field and optional URL parameter added
- Field added to GET /v1/patch-jobs/{id}: job_type
- Optional URL parameter added to GET /v1/patch-groups/{id}/nodes: detailed
Puppet Enterprise API: New groups endpoint
GET /v1/groups/:id/nodes: Resolves all the nodes associated with a node group. This endpoint combines all the rules for the group and queries PuppetDB for the result.
Orchestrator API: New endpoints added
This feature includes several new endpoints:
- GET /v1/constraints: Get the list of known constraints
- POST /v1/constraints: Create a new constraint
- GET /v1/constraints/{id}: Get a single constraint identified by the name parameter
Self-service automation: Fine grained RBAC for plans
When plans are assigned to a user, they only run on nodes the user is authorized to administer.
Task code runs exclusively on managed targets. The orchestrator prevents a user running with a constraint permission from executing task code on anything other than the managed targets listed in the constraint.
Plan code runs on the PE primary, and can spawn execution of task code and other types of execution on managed targets. The orchestrator will make a best attempt to prevent execution on unintended hosts by preventing a plan from spawning execution, such as task code, on anything other than the managed targets listed in the constraint. However, because plans always run the plan code itself on the PE primary, and plan code can include arbitrary user-written Ruby code, it is vital that code review occurs for each plan used to ensure that unintended execution isn’t permitted.
AI-powered search for product information
On the main page of the Puppet Enterprise documentation site, you can now enter a question to get an AI-generated answer. Optionally, you can filter your search by product. Answers combine content from the current version of the product documentation and the Perforce knowledge base. This new search experience helps you locate information more efficiently.
Enhancements
Advanced patching: Usability improvements on patch job screens
In PE 2025.4.0, the patch job screens have been updated in order to improve usability. Usability improvements include:
- Terminology updated to differentiate between types of patch jobs:
  - System updates: Apply available general package and software updates to maintain and secure your systems.
  - Vulnerability remediation: Apply the specific package and software updates required to remediate detected vulnerabilities on affected systems.
- Side navigation terminology and page titles updated, i.e. ‘Overview’ has been replaced with ‘System updates’.
- Job type column added to the scheduled patch jobs table.
Platform support
Agent platforms added
This release adds support for the Puppet agent on the following operating system platforms:
- macOS 15 x86_64
Resolved issues
Advanced Patching: Node group enforcement no longer fails when the config-data option is disabled
In PE 2025.0.0-2025.3.0, if the config-data option was disabled, the operations to configure the node groups failed. This has been fixed in 2025.4.0.
Advanced Patching: Storage of vulnerabilities issue fixed
In previous releases of PE, an issue relating to the storage of vulnerabilities prevented the vulnerability process from functioning properly. This has been resolved in 2025.4.0.
Puppet CA API requests no longer occurring with empty query parameters
In previous versions of Puppet Enterprise, a question mark was appended in requests to the Puppet CA even when there were no query params present. While harmless, this could cause log analysis confusion. This has been fixed in 2025.4.0 and 2023.8.4.
Re-enabled Host Action Collector load issue fixed
In PE 2023.8.0-2023.8.3 and 2025.0.0-2025.3.0, for customers with large numbers of nodes, when the Host Action Collector is offline for a period of time and unable to process events and then enabled, a large number of events are processed and associated replicas may be unable to keep up with the load.
In PE 2025.4.0 and 2023.8.4, this issue has been addressed with the following fixes:
- Locking was added to ensure that delete operations are successful when removing data from the database.
- An index was added to help improve performance of certain lookups.
- An internal routine was modified to be time-boxed rather than restricted to a specific number of interactions.
- Some output was lowered to a debug level of output to help reduce log noise.
Clojure HTTP Client default log level changed from ERROR to DEBUG
An addition to logging in the Clojure HTTP client library, used by the Puppet Enterprise services, was introduced in PE 2025.1.0 and 2023.8.2 at the ERROR level. This was determined to be overly noisy and has been changed to the DEBUG level in PE 2025.4.0. Users who wish to restore the logging to the ERROR level can make that change through this addition to the appropriate service’s logback.xml (for example, /etc/puppetlabs/console-services/logback.xml):
<logger name="com.puppetlabs.http.client.impl.JavaClient" level="DEBUG"/>
Lockless plans no longer fail to generate version folders
In PE 2023.8.0-2023.8.3 and 2025.0.0-2025.3.0, lockless plans failed to generate version folders. This issue has been fixed in PE 2025.4.0 and 2023.8.4.
In PE 2023.8.4 and 2025.4.0, code deployment no longer fails from Azure DevOps with an Unable to exchange encryption keys error when using SSH
In PE 2021.7.9, 2023.8.0-2023.8.3 and 2025.0.0-2025.3.0, deploying code via r10k or Code Manager from Azure DevOps (ADO) with an rsa-sha2 key fails with an Unable to exchange encryption keys error. This issue has been fixed in 2023.8.4 and 2025.4.0.
Security fixes
Addressed the following CVEs:
- CVE-2025-48734
- CVE-2025-5459
- CVE-2025-49007
- CVE-2025-46727
- CVE-2024-11053
- CVE-2024-39684
- CVE-2024-38517